[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The cost of choices
Earl Hood wrote:
On July 28, 2005 at 16:57, Jim Fenton wrote:Note that this mainly a question of what the receiver does once it's
If someone outside the domain is an authorized sender, how about
delegating a key (selector) to them so that they can apply a first-party
signature? This can either be done on an individual-selector basis, or
it's even possible to delegate a selector hierarchy
(*.outsource._domainkey.example.com) to them.
And to extend it further, the SSP should provide the ability to
list which domains are allowed to do third-party signing. Otherwise,
if it is boolean switch, turning on the switch open you up to
I'm not seeing how this prevents a malicious domain from spoofing
the OP identity if the OP has third-party signatures enabled?
If you can provide a more detailed example, I would appreciate it.
a signature (eg, the RSA check succeeds). At that point, the receiver
to see if the signature binds to an outside address -- like say the From
If there isn't a intact signature bound to the From: address, the
check the signing policy of the From: domain. If it is o=!, then it
the other potentially valid signatures as if they didn't exist.